Security Strategy

Klez: the self-destroying virus

Is the end nigh for this file killer?

By Robert Lemos

Published: 6 September 2002 17:30 BST

A variant of the Klez virus was set to go into action over the weekend, erasing a host of files on infected hard drives. But the attack may also wipe out the attacker.

The 8-month-old mass-mailing computer virus called Klez.E triggers its payload on the sixth day of March, May, September and November, erasing 14 different types of files, including Word documents and HTML files.

But the variant has all but disappeared from the Internet, said Vincent Gullotto, director of the antivirus emergency response team at security company Network Associates, and the year's two remaining payloads should call attention to the few computers still infected with Klez.E, allowing the pest to be exterminated.

The Klez.E variant runs a distant second to its far more prevalent Klez.H cousin, making up only 3 per cent of the junk email associated with the Klez virus. Klez.H accounts for the other 97 per cent.

Data from email services provider MessageLabs shows that in August, the company intercepted 580,000 emails carrying the prolific Klez.H variant but only 16,000 carrying Klez.E. On Thursday, the minor Klez variant had been present in only 338 infected emails over the previous 24 hours.

Klez.E arrives in email and uses an old flaw in Microsoft Internet Explorer to execute automatically. On infected PCs, the computer virus activates a malicious payload and overwrites any file accessible to it -- both local and on the network -- of the following types: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak and .mp3.

Klez.H doesn't overwrite files but it may randomly choose a document from a victimized computer and attach it to the emails it sends out to spread itself. In addition, Klez.H spoofs the sender's address to make it look like a random person from the infected PC's address book is actually sending the virus-laden mail. This makes it harder to pinpoint an infected system and can lead to a muddle when people without the pest are told they have it.

Robert Lemos writes for News.com
